Skip to content

Commit 448717c

Browse files
committed
fix(security): avoid logging license keys
Remove the generated activation key from license creation logs and add a regression test to ensure keys stay out of log output.
1 parent 20b7d07 commit 448717c

2 files changed

Lines changed: 75 additions & 1 deletion

File tree

server/src/services/license-guard.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -139,7 +139,7 @@ module.exports = ({ strapi }) => {
139139

140140
const data = await response.json();
141141
if (data.success) {
142-
log.info('[SUCCESS] License created:', data.data.licenseKey);
142+
log.info('[SUCCESS] License created');
143143
return data.data;
144144
}
145145
log.warn('[WARNING] License creation rejected by server:', data.message || 'unknown');

tests/license-guard.test.js

Lines changed: 74 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,74 @@
1+
'use strict';
2+
3+
const assert = require('node:assert/strict');
4+
const test = require('node:test');
5+
6+
const createLicenseGuard = require('../server/src/services/license-guard');
7+
8+
function createStrapi(logs) {
9+
const stored = {};
10+
11+
return {
12+
config: {
13+
get(key) {
14+
if (key === 'plugin::magic-sessionmanager') {
15+
return { debug: true };
16+
}
17+
if (key === 'info.strapi') {
18+
return '5.0.0';
19+
}
20+
return {};
21+
},
22+
},
23+
store: () => ({
24+
get: async ({ key }) => stored[key] || null,
25+
set: async ({ key, value }) => {
26+
stored[key] = value;
27+
},
28+
}),
29+
log: {
30+
info(message) {
31+
logs.push(['info', message]);
32+
},
33+
warn(message) {
34+
logs.push(['warn', message]);
35+
},
36+
error(message) {
37+
logs.push(['error', message]);
38+
},
39+
debug(message) {
40+
logs.push(['debug', message]);
41+
},
42+
},
43+
};
44+
}
45+
46+
test('createLicense does not write the generated license key to logs', async () => {
47+
const previousFetch = global.fetch;
48+
const logs = [];
49+
const secretLicenseKey = 'sk_live_secret_license_key';
50+
51+
global.fetch = async () => ({
52+
json: async () => ({
53+
success: true,
54+
data: {
55+
licenseKey: secretLicenseKey,
56+
email: 'admin@example.com',
57+
},
58+
}),
59+
});
60+
61+
try {
62+
const service = createLicenseGuard({ strapi: createStrapi(logs) });
63+
const license = await service.createLicense({
64+
email: 'admin@example.com',
65+
firstName: 'Admin',
66+
lastName: 'User',
67+
});
68+
69+
assert.equal(license.licenseKey, secretLicenseKey);
70+
assert.equal(JSON.stringify(logs).includes(secretLicenseKey), false);
71+
} finally {
72+
global.fetch = previousFetch;
73+
}
74+
});

0 commit comments

Comments
 (0)